Analysis
max time kernel: 25s
max time network: 136s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 15:23
Static task: static1
General
Target: 76635e2a5359ec267712b33a6b6bb37c4d43d5f86ce855c6cc44939f4b14df4d.dll
Size: 172KB
MD5: 0a31218fbec81ec290c106ac73ee9180
SHA1: a495f3a230d9b37b78b85e4c2a29bf44d31ddab6
SHA256: 76635e2a5359ec267712b33a6b6bb37c4d43d5f86ce855c6cc44939f4b14df4d
SHA512: 4a170a52f640842ae2653e9d1b5a6ad7d0c879f85b48bec83e720b0943e553d6d5f0416aa6c638aa2364edcc65903530eb3e099a2a7867eaec31f7607a9d718b
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

Dridex loader YARA match
resource                                                                      yara_rule
behavioral1/memory/1592-115-0x0000000073D90000-0x0000000073DC0000-memory.dmp  dridex_ldr

Program crash (1 IoC)
pid  pid_target  Process       procid_target
768  1592        WerFault.exe  70

Suspicious behavior: EnumeratesProcesses (14 IoCs, all identical)
pid  Process
768  WerFault.exe  (14 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid  Process
Token: SeRestorePrivilege  768  WerFault.exe
Token: SeBackupPrivilege   768  WerFault.exe
Token: SeDebugPrivilege    768  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs, all identical)
description                      pid  Process       procid_target
PID 860 wrote to memory of 1592  860  rundll32.exe  70  (3 entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76635e2a5359ec267712b33a6b6bb37c4d43d5f86ce855c6cc44939f4b14df4d.dll,#1
   PID: 860
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76635e2a5359ec267712b33a6b6bb37c4d43d5f86ce855c6cc44939f4b14df4d.dll,#1
      PID: 1592
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 684
         PID: 768
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken